Privilege Escalation Flashcards
Privilege Escalation
This lesson is going to cover the fourth stage in the MITRE ATT&CK framework, Privilege Escalation. These techniques are used to describe ways that adversaries will attempt to gain higher privileges, such as moving from a standard user to an administrator, or from an admin to a domain admin. At the time of writing currently includes 12 top-level techniques. We will be looking at the following:
Valid Accounts (4 sub-techniques) Exploitation For Privilege Escalation
Valid Accounts
MITRE Technique T1078
It is completely plausible that an adversary can immediately gain access to privileged accounts such as administrators or domain administrators provide they can obtain the credentials in one form or another. This can be achieved by using phishing emails, specifically credential harvesters where the recipients are enticed to enter in their credentials to a website that appears to be a legitimate service, such as Outlook Web Access. These credentials would then be sent to the attacker who could attempt to log in to these accounts via remote service such as Remote Desktop protocol (RDP). It is crucial that credentials are not leaked, shared, or breached to protect the accounts from being accessed by unauthorised individuals.
Taking a look at the Procedure Example table we can see that all of these entries in the screenshot are examples of advanced threats that have utilised legitimate credentials to log in to systems. The entry from APT28 is a great example where they have launched a spear phishing campaign to obtain valid credentials and also used manufacturer default credentials to log into IoT devices, giving them a foothold in the network. There are lots of great examples, so we suggest you take a look at a few more.
In the Mitigations section there are three suggestions to prevent this technique from being as effective. Firstly, hardcoded credentials should not be used in applications or website, this is where developers will create an account and put the username and password in the code so they don’t need to manually login whenever the code is run. Sometime this code can be uploaded to platforms such as Pastebin or Github where attackers can scrape it and identify credentials which they can later use to log into systems or applications. Next MITRE suggests applications using default credentials (from routers to IoT devices such as printers) should be immediately changed away from the default username and password to prevent attackers from using lists of known username and password pairs. Finally it is suggested that routine audits are conducted to identify accounts that have excessive permissions and privileges which could be a gold mine for attackers, and also identify accounts that have had their permissions changed, which could be a sign of privilege escalation through exploitation (we’ll cover this below).
Privilege Escalation Exploits
MITRE Technique T1068
Certain software or operating system functions will typically run at a higher privilege than a normal user, and by exploiting these vulnerabilities the adversary may be able to escalate the current user’s privileges, or run malicious code in the context of another program or process and gain a reverse shell at a higher level. Depending on the component that is vulnerable it could be possible for a standard user account to execute code in the context of SYSTEM on a Windows host, the highest level with unparalleled access and permissions. The same can be done to achieve ROOT permissions on a Linux-based system.
In the Procedure Examples table we can see a number of CVEs (Common Vulnerabilities and Exposures) which represent unique vulnerabilities. Let’s take a deeper dive below and explore a couple of the CVEs that have been used by advanced threats in the past.
APT28 has used CVE-2017-0263
You can find the page for this CVE here. You can find the Microsoft advisory page here.
This is an old vulnerability that occurs in the Windows operating system and is associated with the Windows kernel-mode driver failing to properly handle objects in memory. This allows an attacker to run malicious code in kernel mode (the absolute highest level), allowing them to install programs; view, change, or delete data; or create new accounts with full user rights (administrators).
To actually exploit this vulnerability the attacker would already need to have access to an account within the target environment. They could then run a specially crafted application (a ‘payload’) that could exploit the vulnerability and take control of an affected system.
APT32 has used CVE-2016-7255
You can find the page for this CVE here. You can find a third-party advisory page (with exploit code!) here.
This CVE is similar to the above one, as it is another vulnerability in kernel-mode drivers that could allow an attacker to execute code in the context of the Windows kernel. In the 3rd-party advisory linked above, there is a tab for “Exploit” which provides an exploit file that can be used to execute the vulnerability and run commands in the context of the kernel. Scripts like this are added to attack frameworks such as Metasploit so they can be used in penetration tests (but also abused by malicious actors!).
In the Mitigations section the suggestions here are based on preventing the attacker from exploiting vulnerabilities by patching them to remove the risk, developing a threat intelligence capability that will track which CVEs are actively being exploited by threat actors to provide situational awareness for the security team and prove to the business that security patching is crucial to prevent successful attacks, and also ensure that the built-in group of security tools called Exploit Guard is enabled on all Windows hosts to detect and prevent local exploitation activity.
Privilege Escalation Exploits 2
For Detection we are told to enforce deep logging using tools such as Sysmon from Sysinternals to allow us to detect process modification and creation. Endpoint detection and response (EDR) solutions can also notice and correlate changes to the operating system files that may represent exploitation activity.